
Phishing scams – a deep dive into this year’s cyber attack trends

16 Jul 2018

There’s no doubt email is the number one vector used to initiate attacks on organisations, and of those email attacks, phishing is king. According to a recent survey Mimecast conducted with Vanson Bourne, 94% of enterprise organisations had seen untargeted phishing attacks in the last 12 months, and 92% had seen targeted spear phishing attacks incorporating malicious links.

So, what’s contributing to this rise? We’re seeing hackers increasingly seeking to hijack popular events. In recent weeks, phishing scams have targeted events like the FIFA World Cup, and the end of financial year in Australia as people prepare to do their tax returns.

One notable campaign preying on unsuspecting football fans during the FIFA World Cup promised users the ability to download a match schedule, or to obtain a free pair of Adidas shoes - via a malicious link. Scams like this illustrate the difficulty of protecting organisations and individuals from bad actors who want to gain access to corporate networks or personal information.

These scams are also becoming harder to spot. The Adidas threat, for example, takes the form of a homographic attack.

In this phishing attack, which targeted customers of Adidas, a longstanding partner of the FIFA World Cup, the letter “i” in the brand name as displayed in the URL was replaced with a look-alike vertical character. When a user, mistaking the link for a genuine one, clicked through, they were taken to another web page, where they were prompted for credentials and faced with the threat of malicious software being automatically downloaded. These attacks have been in the wild since 2001, but they have risen in popularity over the last twelve months.

The key to a homographic attack is what’s known as ‘punycode’. Punycode is the encoding browsers use to represent the Unicode characters of internationalised domain names (those written in non-English scripts) using only the ASCII (American Standard Code for Information Interchange, a character encoding standard for electronic communication) character set, so a domain can be shown either in its Unicode form or in its ASCII punycode form.

The result is that characters are replaced with similar characters from a non-English language, such as Cyrillic, and to the casual observer the domain being presented looks legitimate. 

These homograph attacks remain a particular problem because, aside from being able to display the domain name in its punycode output to help warn users, the majority of major browsers, including Chrome, Safari, Firefox and Microsoft Edge, are not able to comprehensively protect against them.
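As an added illustration (not code from the original article), the following Python script does the check the article says browsers can do: it converts a domain to its punycode form and flags labels that mix Latin with another script. The sample domains are constructed; the look-alike one swaps the Latin “i” for a Cyrillic character (U+0456) and is not a real indicator.

```python
import unicodedata

# Constructed sample domains (not real campaign indicators): in the first one
# the Latin "i" has been swapped for U+0456, a Cyrillic letter that renders the same.
LOOKALIKE_DOMAIN = "ad\u0456das.example"
GENUINE_DOMAIN = "adidas.example"


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form of a domain: what a browser shows when it will not render the IDN."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Unicode form of a domain that may contain xn-- labels."""
    return domain.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Approximate the Unicode script of a letter from the first word of its character name."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def homograph_report(domain: str) -> dict:
    """Flag labels that mix scripts or contain non-ASCII letters; list the odd characters by name."""
    unicode_form = from_punycode(domain) if "xn--" in domain.lower() else domain
    findings = []
    for label in unicode_form.split("."):
        letters = [ch for ch in label if ch.isalpha()]
        scripts = {script_of(ch) for ch in letters}
        non_ascii = [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
                     for ch in letters if ord(ch) > 127]
        if len(scripts) > 1 or non_ascii:
            findings.append({"label": label, "scripts": sorted(scripts), "non_ascii": non_ascii})
    return {
        "displayed": unicode_form,           # what the address bar may render
        "punycode": to_punycode(unicode_form),  # what a warning should show instead
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for d in (LOOKALIKE_DOMAIN, GENUINE_DOMAIN):
        print(homograph_report(d))
```

The report for the look-alike domain names the Cyrillic code point and gives the `xn--` form a user would see if the browser refused to render the mixed-script label.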

Another vector for phishing attacks is social engineering. Most recently, emails have been sent from multiple domains resembling invoices or tax statements from well-known companies such as accounting software firm Xero, office supply chain OfficeWorks, and the Australian Taxation Office.

These emails include a link prompting recipients to download a malicious file, which in turn fetches a banking trojan from compromised SharePoint sites. For attackers, these emails represent easy pickings, because the recipient sees the logo of a trusted firm prominently displayed and won’t necessarily check the URL to ensure that it is legitimate.

When it comes to orchestrating email attacks, cybercriminals know that a person is sitting on the end of an email address, and the majority of these people are not security trained. Attackers will send these emails because they’re easy – using social engineering to get a user to click on a malicious link is simpler than complex network or application attack vectors.

Once the user clicks on a link in one of these phishing emails, they are generally asked to enter logins, personal information or credit card data, or they are subjected to an unwanted, malicious download (malware) that harvests these credentials undetected through key-logging or the monitoring of network connections.

During peak periods such as the FIFA World Cup or tax deadlines, recipients are usually more willing to click on links that resemble something of interest to them and as a result, become less vigilant.

When it comes to human error, defending against these attacks remains complex. Humans are frequently cited as the weakest link in any security chain, so it can be hugely beneficial to employ automatic email security. This automated security is able to detect attacks such as the Xero, OfficeWorks and ATO attacks because the software checks the sender URLs and blocks those generated by non-legitimate sources.

While automated email protection remains the key defence against phishing attacks, user awareness can’t be forgotten. With the threat landscape constantly evolving, users can’t be expected to just figure out the good from the bad.

Training users can be as simple as getting people to check the email address and seeing if it makes sense given the type of email they have received. Or asking questions like – is it asking for something unusual – and if they hover over links, do those links go where they say they will? A couple of minutes spent asking the security team if a link or email is legitimate will save hours or days of effort and embarrassment if the email is fraudulent.
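The “do the links go where they say they will?” check above can also be automated over an email body. This is an added example, not part of the article or any Mimecast product: it parses the HTML, and flags any link whose visible text is a URL on one host while the real `href` points to another. The HTML sample is constructed and uses reserved `.example` names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML body (not taken from a real campaign):
# the first link displays one address but actually points somewhere else.
SAMPLE_HTML = """
<p>Your invoice is ready.</p>
<a href="http://invoice-portal.example.net/login">https://www.xero.example/invoices</a>
<a href="https://www.xero.example/help">Help centre</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str):
    """Lower-cased hostname if the string is a URL, else None (plain text like 'Help centre')."""
    parsed = urlparse(url_or_text.strip())
    return parsed.hostname if parsed.scheme and parsed.hostname else None


def mismatched_links(html: str) -> list:
    """Links whose visible text names a different host than the one the href really targets."""
    collector = LinkCollector()
    collector.feed(html)
    return [{"shown": shown, "actual": real, "href": href}
            for href, text in collector.links
            for real, shown in [(host_of(href), host_of(text))]
            if shown and real and shown != real]
```

Only links whose displayed text is itself a URL are compared; a link labelled “Help centre” cannot mismatch, which matches the hover-and-compare habit the article recommends.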

Email remains the number one attack vector, but with vigilance and software protection, it doesn’t have to be the downfall of your organisation.

Article by Mimecast A/NZ principal consultant Garrett O'Hara.
